Discovered a security vulnerability?

Tell us about it

Vulnerabilities found on listed ESET Websites

Our partnership with HackTrophy helps us to stay ahead of any potential threats. Let us know about any security issues on our websites. Confirmed reports on websites listed below are compensated with monetary rewards.

* ESET Global Website includes the subdomains go.eset.com, cookie.eset.com, search.eset.com and api.eset.com

Vulnerabilities found in ESET products or ESET websites

If you believe you have found a vulnerability in any ESET product or web application that is not defined in Hacktrophy's scope, please inform us confidentially.

If you believe you have found a vulnerability in any ESET product or web application, please inform us confidentially.

Drop us a line

Before submitting the report, please read the Report Policy and Out of scope section. An automatic reply is sent when report is successfully processed by our system and waiting for review from a security specialist. Within three working days a security specialist will send the reporter feedback via security@eset.com. Our target is to provide a fix for confirmed vulnerabilities within 90 calendar days of disclosure. Reports of confirmed and fixed vulnerabilities are rewarded with a goodie bag.

When assessing the vulnerability, use the latest version of CVSS -
we will prioritize our response based on this CVSS score or vector string.

As a CNA for applicable vulnerabilities in our products, ESET will reserve a CVE ID automatically.

Please note that we will not initiate a law enforcement investigation or any lawsuit against you for the content of the report.

Sensitive and Personal information

Never attempt to access personal information or sensitive data. If you obtain sensitive or personal information during your security research, follow these steps:

- STOP your research or actions that include data or personal information immediately

- DO NOT save, copy, disclose, transfer or do any activity related to the sensitive or personal information

- ALERT us immediately and support us in the mitigation effort

Out of scope vulnerabilities

Reports from automated tools or scans
Denial of service attacks
Man in the middle attacks
Attacks requiring physical access to a device
Hypothetical issues that do not have any practical impact
Publicly accessible login panels without proof of exploitation
Findings derived primarily from social engineering (e.g. phishing, vishing, smishing) and other non-technical attacks
Informative severity and low severity issues
Spamming
Clickjacking and issues only exploitable through clickjacking.
Fingerprinting / banner disclosure on common/public services.
Mail configuration issues (SPF, DKIM, DMARC settings)
Descriptive error messages (e.g. stack traces, application or server errors)
HTTP 404 codes/pages or other HTTP non-200 codes/pages.
Disclosure of known public or non-sensitive files or directories, (e.g. robots.txt,crossdomain.xml and any other policy files, wildcard presence or misconfiguration in these).
Nonstandard HTTP method enabled
Missing Security headers such as Strict-Transport-Security, X-Frame-Options, X-XSS-Protection, X-Content-Type-Options
Lack of Secure, HTTP Only and SameSite flags on non-sensitive cookies.
Open redirect that cannot be used to exfiltrate sensitive information such as session cookies, OAuth tokens
Management issues with multiple concurrent active sessions
Host-header injection attacks
Self-XSS and issues exploitable only through Self-XS
CSRF on forms that are available to anonymous users (e.g. the contact form).
CSRF on logout
Presence of application or web browser "autocomplete" or "save password" functionality.
Forgot Password page brute force attack protection and account lockout policies not enforced.
Username or email enumeration without any further impact
Rate limiting issues
Weak Captcha or Captcha Bypass
Use of a known-vulnerable library without a description of an exploit specific to our implementation
SSL issues (e.g. weak/insecure cipher, BEAST, BREACH, renegotiation attacks)

Issues that can be covered by adding a detection signature
DLL injection
DLL hijacking
No SSL in update/download servers
Local AV engine bypasses
Tapjacking
Known vulnerabilities in third party components
Attacks only possible with admin privileges will be evaluated case-by-case

Report Policy

Reach out to us via security@eset.com
Reports and all related materials are encrypted by PGP public key
Include your organization and contact name
Write a clear description of the potential vulnerability
Add all information needed to validate the potential vulnerability
Include the ESET product and module version (see KBs on finding product and module versions) for reports related to the product
Product-related reports should contain a log file from ESET SysInspector if applicable
Proof of concept – please provide as detailed description as you can, including screenshots and video (marked as private when uploaded to stream services)
Mitigation suggestions are highly appreciated
Include the impact that you expect the potential vulnerability has on users, ESET employees or others
We request the reporter to keep any communication regarding vulnerability confidential
Inform about any disclosure plans and coordinate with us
Must be written in the English language